FERC proposes rule to expand cyber incident reporting

A proposed FERC rule change would expand the definition of a 'reportable cyber incident' for the energy industry. (GUILLAUME SOUVANT/AFP/Getty Images)

The Federal Energy Regulatory Commission wants to expand cyber incident reporting requirements to include any time an adversary attempts to break into an energy company’s networks, rather than only those that compromise the company’s critical operations.

“The reporting of cyber-related incidents, in particular the lack of any reported incidents in 2015 and 2016, suggests a gap in the current mandatory reporting requirements. This reporting gap may result in a lack of timely awareness for responsible entities,” the proposed rule said.

“The proposed development of modified mandatory reporting requirements is intended to improve awareness of existing and future cyber security threats and potential vulnerabilities.”

The rule would require the North American Electric Reliability Corporation to submit modifications to the Critical Infrastructure Protection Reliability Standards, which determine the reporting requirements for energy sector cyber incidents.

At the crux of the proposed rule is the question of what defines a “reportable cyber incident” in the energy industry. According to the current CIP reliability standards, a cyber incident must disrupt core processes in order to be considered critical.

“Under these definitions, unsuccessful attempts to compromise or disrupt a responsible entity’s core activities are not subject to the current reporting requirements,” the proposed rule said.

This definition may also leave out cyberattacks designed to steal information or create openings for a future, large scale hack, meaning that incident reports would not give early warning by recording that activity.

The new rule was proposed after the Foundation for Resilient Societies filed a petition on January 13, 2017, that FERC institute a rule requiring an enhanced Reliability Standard for malware detection, reporting, mitigation and removal from the Bulk-Power System.

“In support of its petition, Resilient Societies asserted that evidence in the public domain shows that electric grids in the U.S. and critical infrastructure that depends upon reliable power are increasingly at risk from malware, resulting in a threat of widespread, long-term blackouts,” the proposed rule said.

“Resilient Societies asserted that Bulk-Power System assets are interconnected with the public internet, which could allow foreign adversaries to implant malware in electric utility computer systems.”

NERC, the International Transmission Company and trade associations contested this assertion, claiming that current standards or planned alterations to those standards already address the threat that malware poses.

Kaspersky Labs and David Bardin, a retired member of Arent Fox LLP and energy and utilities expert, supported the Resilient Societies petition. With Kaspersky Labs asserting that current standards “do not sufficiently address malware protection as a critical component in securing BES Cyber Assets and Systems.”